New TencShell malware targets manufacturer through trusted third-party access
Security researchers have uncovered a previously undocumented malware implant called TencShell that was used in an attempted intrusion against a global manufacturing company.
Cato CTRL, the threat research team at Cato Networks, said it detected and blocked the attack in April 2026 before the attacker established durable remote control. The activity appeared in traffic tied to a third-party user connected to the customer’s environment.
The incident shows how a trusted business connection can become a bridge into a larger enterprise network. It also shows how attackers can adapt open-source offensive tools into custom malware without building everything from scratch.
What TencShell is
TencShell is a customized Go-based implant derived from Rshell, an open-source command-and-control framework. Cato named it TencShell because the malware combines remote shell behavior with command-and-control traffic that imitates Tencent-style web service paths.
The malware was not a simple downloader. Researchers said it had capabilities commonly seen in mature post-exploitation frameworks, including remote command execution, file access, proxying, pivoting, screen interaction, and in-memory payload execution.
Cato assessed the activity as suspected China-linked based on the Rshell lineage, Tencent-themed API impersonation, and infrastructure patterns. However, the company also said those signals were not enough on their own for firm attribution.
| Item | Details |
|---|---|
| Malware name | TencShell |
| Type | Customized Go-based implant |
| Derived from | Rshell open-source C2 framework |
| Targeted organization | Global manufacturing customer |
| Observed location | India site |
| Detection time | April 2026 |
| Attribution | Suspected China-linked, not confirmed |
The attack used a third-party connection
The attempted intrusion appeared in traffic associated with a third-party user that had legitimate access to the manufacturing customer’s environment. That makes the case more serious for companies that rely on suppliers, contractors, vendors, and regional partners.
Attackers often target trusted access paths because those connections already pass through some security gates. A compromised partner account, unmanaged device, or exposed third-party endpoint can give attackers a realistic route into a larger business network.
Cato said the initial infection vector remains unknown. The researchers said it may have involved phishing, a malicious download, or another web-based delivery method.
How the infection chain worked
The attack chain used several stages to reduce visibility. The first observed stage was a lightweight dropper that contacted attacker-controlled infrastructure using a fake User-Agent.
The dropper then retrieved a payload disguised as a .woff file. Websites normally use WOFF files for web fonts, so the request could look like a routine browser asset download during casual inspection.
Inside that font-looking resource was Donut shellcode. Donut is an open-source shellcode framework that can load Windows payloads directly in memory, reducing the need to write the final implant to disk.
- A first-stage dropper ran after initial access.
- The dropper made outbound requests using a fake User-Agent.
- It retrieved a masqueraded .woff resource from attacker infrastructure.
- The .woff-looking file carried Donut shellcode.
- Donut reflectively loaded the TencShell implant in memory.
- TencShell attempted command-and-control communication with attacker servers.
Why the fake font file matters
A .woff file usually looks harmless because browsers load font files all the time. That makes the technique useful for attackers trying to hide payload delivery inside normal web traffic.
Security tools may see a request that looks like a static web asset instead of a malware stage. Analysts may also overlook the request if it appears near normal web browsing or application traffic.

In this case, the file did not need to work as a real font. Its purpose was to disguise shellcode delivery and help the attacker move toward in-memory execution.
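One way to act on that observation is to validate a body served under a .woff name against the WOFF header layout a real font must satisfy. This is an added example, not Cato's detection logic; it assumes the defender has the fetched body (for example from a proxy capture), and the sample blobs are constructed here for illustration.

```python
import struct

WOFF1_MAGIC = b"wOFF"   # WOFF 1.0 signature
WOFF2_MAGIC = b"wOF2"   # WOFF 2.0 signature
# Both formats share the first 16 header bytes: signature, flavor, length, numTables, reserved.
_COMMON_HEADER = ">4sIIHH"

def classify_font_blob(data: bytes) -> tuple[bool, str]:
    """Return (plausible_font, reason) for a body that was served as a .woff resource."""
    min_len = 48 if data[:4] == WOFF2_MAGIC else 44   # WOFF2 header is 48 bytes, WOFF1 is 44
    if len(data) < min_len:
        return False, "shorter than a WOFF/WOFF2 header"
    magic, _flavor, length, num_tables, reserved = struct.unpack(_COMMON_HEADER, data[:16])
    if magic not in (WOFF1_MAGIC, WOFF2_MAGIC):
        return False, f"signature {magic!r} is not wOFF or wOF2"
    if reserved != 0:
        return False, "reserved header field must be zero"
    if num_tables == 0:
        return False, "font declares zero tables"
    if length != len(data):
        return False, f"declared length {length} does not match body length {len(data)}"
    return True, "header fields are consistent with a WOFF font"

def make_sample_font(total_len: int = 64) -> bytes:
    """Constructed WOFF1-shaped blob for testing: a valid header plus padding, not a usable font."""
    header = struct.pack(">4sIIHHIHHIIIII", WOFF1_MAGIC, 0x00010000, total_len,
                         1, 0, 0, 1, 0, 0, 0, 0, 0, 0)
    return header + b"\x00" * (total_len - len(header))

# Constructed stand-in for a non-font body delivered under a .woff name.
SAMPLE_PAYLOAD = bytes(range(64))

if __name__ == "__main__":
    for label, blob in (("font-shaped body", make_sample_font()), ("masqueraded body", SAMPLE_PAYLOAD)):
        ok, why = classify_font_blob(blob)
        print(f"{label}: {'font' if ok else 'SUSPECT'} - {why}")
```

A body that fails these checks is not proof of malware, but a .woff fetch whose content is not a font is exactly the kind of request worth pulling into an investigation.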
TencShell can support screen control and credential theft
Recovered module names and functions show that TencShell can support interactive remote-control behavior. Cato found references to command pulling, result pushing, WebSocket-based screen communication, screen metrics, mouse input, and keyboard input.
The implant also exposed a wider operator toolkit. Researchers identified capabilities for browser artifact access, file manipulation, process interaction, SOCKS5 proxying, persistence, cleanup, and User Account Control bypass.
For a manufacturing company, these capabilities can create risk beyond one workstation. An attacker could inspect files, steal browser session material, proxy traffic through the compromised endpoint, and attempt to reach internal systems that do not face the internet.
- Remote shell and native command execution
- Screen capture or remote screen interaction
- Keyboard and mouse simulation
- Chrome and Microsoft Edge artifact access
- SOCKS5 proxying for internal pivoting
- In-memory payload execution
- Registry-based persistence
- UAC bypass capability
Persistence used a Windows Run key
Cato found that TencShell included a persistence routine using the Windows Registry Run key. The malware referenced the value name OneDriveHealthTask.
That name appears designed to blend in with Microsoft or Windows-related entries during quick inspection. The routine also checked whether the persistence entry already existed before creating it.
This behavior points to an implant built for continued access rather than one-time execution. If the attack had succeeded, the attacker could have used persistence to regain access after a reboot.
| Indicator type | Observed indicator |
|---|---|
| IP address | 45[.]64[.]52[.]242 |
| IP address | 192[.]238[.]134[.]166 |
| IP address | 45[.]115[.]38[.]27 |
| Domain | gin-tne-fahcesmukw[.]cn-hangzhou[.]fcapp[.]run |
| Registry key | \Software\Microsoft\Windows\CurrentVersion\Run |
| Registry value | OneDriveHealthTask |
What security teams should monitor
Security teams should treat unusual outbound requests to unknown infrastructure as worth investigating, especially when they involve font-like resources outside a normal browser context. Repeated requests to the same unfamiliar endpoint can also point to staged payload delivery.
Defenders should also inspect endpoints used by third parties and contractors. These systems can become useful attack paths if they have access into internal business applications or private services.
Registry autorun entries with legitimate-looking names need review when they appear on systems tied to suspicious network activity. The same applies to unexpected WebSocket traffic, fake User-Agents, and payloads executed from memory.
- Review third-party access paths into internal environments.
- Flag unusual .woff requests that do not match normal browsing activity.
- Monitor outbound traffic to unfamiliar IP addresses and rare domains.
- Inspect Windows Run keys for suspicious autorun entries.
- Check for unexpected WebSocket communication from user endpoints.
- Restrict contractor access to only the systems they need.
- Investigate fake User-Agent traffic and repeated payload-staging requests.
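The .woff, User-Agent and repeat-request points in this list can be expressed as one triage pass over proxy records. This is an added example, not Cato's tooling; the CSV field layout and the log rows are constructed here, and the browser User-Agent markers are a simple allowlist the reader would tune to their own estate.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample proxy records (not real telemetry): ts,src,host,path,user_agent,referer
SAMPLE_LOG = """\
ts,src,host,path,user_agent,referer
2026-04-01T09:00:01,10.1.5.20,fonts.example-cdn.test,/roboto.woff,Mozilla/5.0 (Windows NT 10.0) Chrome/124.0,https://intranet.example.test/
2026-04-01T09:00:05,10.1.5.20,cdn.unknown-host.test,/assets/theme.woff,UpdateAgent/1.0,
2026-04-01T09:00:35,10.1.5.20,cdn.unknown-host.test,/assets/theme.woff,UpdateAgent/1.0,
2026-04-01T09:01:05,10.1.5.20,cdn.unknown-host.test,/assets/theme.woff,UpdateAgent/1.0,
2026-04-01T09:02:00,10.1.5.31,news.example.test,/index.html,Mozilla/5.0 (Windows NT 10.0) Firefox/125.0,
"""

BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/", "Edg/")
REPEAT_THRESHOLD = 3   # same client fetching the same .woff this many times looks like staging

def is_browser_ua(ua: str) -> bool:
    """Crude check: does the User-Agent carry a marker a real browser would send?"""
    return any(marker in ua for marker in BROWSER_UA_MARKERS)

def triage_font_requests(log_text: str) -> list[dict]:
    """Return findings for .woff fetches that do not look like browser font loads,
    plus repeated fetches of one .woff resource by one client."""
    findings = []
    repeats = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        if not row["path"].lower().endswith(".woff"):
            continue
        repeats[(row["src"], row["host"], row["path"])] += 1
        reasons = []
        if not is_browser_ua(row["user_agent"]):
            reasons.append("non-browser User-Agent")
        if not row["referer"]:
            reasons.append("no Referer (page-driven font loads normally carry one)")
        if reasons:
            findings.append({"ts": row["ts"], "src": row["src"], "host": row["host"],
                             "path": row["path"], "reasons": reasons})
    for (src, host, path), n in repeats.items():
        if n >= REPEAT_THRESHOLD:
            findings.append({"ts": None, "src": src, "host": host, "path": path,
                             "reasons": [f"{n} fetches of the same .woff resource"]})
    return findings

if __name__ == "__main__":
    for f in triage_font_requests(SAMPLE_LOG):
        print(f["src"], f["host"] + f["path"], "; ".join(f["reasons"]))
```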
Why this incident matters
TencShell shows how attackers can repurpose open-source tooling into a practical enterprise intrusion framework. They do not always need a fully original malware family to create serious risk.
The attempted attack also highlights the importance of supply chain and third-party access controls. A trusted connection can carry threat activity into an environment if organizations do not monitor it closely.
Cato blocked the intrusion before the attacker established durable control, but the case still gives defenders a clear warning. Modern malware can hide behind normal-looking web traffic, run largely in memory, and use trusted access paths to get closer to sensitive systems.
FAQ
TencShell is a previously undocumented Go-based implant derived from the open-source Rshell command-and-control framework. It supports remote control, payload execution, proxying, persistence, browser artifact access, and other post-exploitation functions.
Cato CTRL, the threat research team at Cato Networks, identified and blocked the attempted intrusion involving TencShell in April 2026.
Cato assessed the activity as suspected China-linked based on the malware lineage, Tencent-style API impersonation, and infrastructure patterns. However, the company said those signals were not enough for confirmed attribution.
The observed chain used a first-stage dropper, a masqueraded .woff web-font resource, Donut shellcode, reflective in-memory loading, and web-like command-and-control communication.
Defenders should review unusual outbound requests to unknown infrastructure, suspicious .woff downloads, fake User-Agent traffic, unexpected WebSocket activity, and Windows Run key entries using names such as OneDriveHealthTask.